-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Access to repository via Veeam Recovery media
Hello,
We have quite a huge issue with access to specific repositories with agent backups via Recovery Media.
I have found out that repository access permissions in VB&R are ignored, and the only solution (which I have found) is to provide the user/group with "restore operator" rights in VB&R. In that case, I will get all repositories with agent backups inside.
But this is not possible for us... because if we provide a specific group with restore operator to get access via recovery media, they are also able to restore everything via the console... and this is a huge hole in security, which really limits us in using Veeam Agent backups in our environment worldwide, with more than 30 local Veeam servers and 500 agent licenses bought...
So we are able to back up machines... it's OK... but we definitely need to have the possibility to restrict access to specific repositories for specific AD groups... Is there any solution to get access to repos via Recovery Media, but not have access to restore via the console for Virtual/Baremetal together?
I think that it's also quite an issue regarding the upcoming GDPR legislation.
Thanks for any hints, guys. We are spending hundreds of thousands of euros per year on Veeam licenses and therefore we would like to get the best from it.
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Access to repository via Veeam Recovery media
Hello Martin.
Can you please elaborate on this one? If a user is not listed under the repository permissions tab in Veeam B&R, he should not be able to connect to the Veeam B&R server.
"I have found out that repository access permissions in VB&R are ignored, and the only solution (which I have found) is to provide the user/group with 'restore operator' rights in VB&R."
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Re: Access to repository via Veeam Recovery media
Hi there,
It doesn't matter which permissions I set directly on the repository... even if I have set allow to everyone there... the user will not get the backup list in Recovery Media until he is granted at least "restore operator" in VB&R.
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Access to repository via Veeam Recovery media
Thanks Martin. Are these agents controlled by the Veeam Backup & Replication server, or are you referring to standalone deployments?
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Re: Access to repository via Veeam Recovery media
Managed by VB&R.
We have started a worldwide project for backup of production PCs via VB&R as a single point of administration for our backups.
The solution is working perfectly for deploying agents and policies, but we have found this limitation, since we need to be able to provide the "restore" possibility to a specific group of users (maintenance) to cover 24/7 support in the production environment (we are an automotive company).
But we cannot provide these users with restore operator in VB&R. It's simply too risky... maintenance cannot have access to servers...
Also, we have 3 specific repositories for agents in every location (Production PC, Office PC and Servers) and we need to gain access just to the Production repository...
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Access to repository via Veeam Recovery media
Thank you for the clarification. Indeed there is no way to limit the restore operator role to specific items but it sounds like a good feature request. What tasks should be enough for such support user role in your case? Ability to perform recovery BMR from the given repository, recovery media creation from the backup file, some basic administration tasks for hosts (i.e. backup agent deployment / Rescan)?
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Re: Access to repository via Veeam Recovery media
Hi Dmitry,
from our point of view, we would really like to stick to "agent restore operators", so:
1. File-level restore for agents from a given repository
2. Create recovery media for agents in a given repository
3. Perform recovery in BMR from a given repository
This should be almost perfect. Other tasks like rescan, deployment and policy creation should remain for admin rights in VB&R (local IT task).
Everything that will separate both environments (Virtual and Physical) is perfect...
A slightly different thing refers to my other thread... it means having the possibility for those "Agent restore operators" to have access to Agent tasks directly on the machine... but I think that this is a UAC issue, since you need local admin rights to open the app... we are currently investigating whether the AppSense software we are using can handle this... we will see...
Really, thank you for your cooperation... I really appreciate it...
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Re: Access to repository via Veeam Recovery media
Hi Dmitry,
any news on this? I know that this possibly cannot be solved very fast, but I would like to at least know the status (consideration),
since this really does not allow us to roll out the full functionality of the product.
Thanks for understanding,
Cheers
Martin
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Access to repository via Veeam Recovery media
Hello Martin,
Thanks again. I am discussing your request with the RnD team.
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Re: Access to repository via Veeam Recovery media
Hi Dmitry,
any news about this request? Will it be part of the next release? And as asked in another thread, any rough idea about the next release timeline?
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Access to repository via Veeam Recovery media
Martin,
I've added this feature request to the list of potential improvements, but I can't provide you with the ETA. Thanks!
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Re: Access to repository via Veeam Recovery media
Hi Dmitry,
it's been almost 3/4 of a year and Update 4 is released.
I have seen in the release notes that file-level restore is now possible without admin privileges.
How is it with Recovery Media restore?
Do you still need to be a VB&R admin (restore operator) to have access to the Agent repository during the restore process? Or can it now be specified somehow?
This one is still a pain for us, since we need to provide a specified group of people with the full restore possibility (only for agents, not to have access to virtual restore) and so far this was not possible without being a Veeam admin.
As mentioned before, repository access restrictions are ignored by restore media.
Thanks a lot for any information
Martin
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Access to repository via Veeam Recovery media
Hello Martin,
We've added granular restore scopes in U4 to the Enterprise Manager (so you can define the specific set of computers/protection groups or even a Veeam B&R server) and assign it to a specific user. Once done, the user can perform self-service restore via Enterprise Manager. Will such a solution work for day-to-day file recoveries in your organization?
Recovery Media behavior was not changed in Update 4; RE still requires an administrative account, but the improvement is planned.
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Mar 06, 2018 1:18 pm
- Full Name: Martin Zidu
- Location: Liberec
- Contact:
Re: Access to repository via Veeam Recovery media
Yeah,
granular restore is a good move forward and solves some issues in case of missing config files, production data etc., yet it still does not solve full machine restore via recovery media.
As I am thinking about it, it's obvious that repository permissions are not taken into account, since you need to authenticate to the VB&R server during the restore process.
Still a big security risk, since the user needs to be at least "restore operator" to get access to Agent restore points via recovery media.
We definitely would appreciate a different approach:
- additional security group in VB&R to have access only to Agent repositories
- authentication just to given repositories in case of recovery media
One of those improvements is really a must for us, to make the most of Agent backups.
As mentioned before, agent backups are more "Production PC based" than the virtual server environment and therefore different people need to work with them (Maintenance, Production technicians ...) to cover 24/7 production... mainly overnight shifts.
I know that if we grant users restore operator and teach them just to use recovery media, it will maybe cover our problem, but still there is a chance that someone handy will be able to install the console, authenticate to the Veeam server and then... he will have access to the whole environment, and this is simply too big a security risk... without any discussion.
I will hope that VB&R 10 will solve this... hope is everything I have with this issue.
I hope you will consider it, since this improvement seems to me really useful for many production sites.
Martin
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Access to repository via Veeam Recovery media
Martin,
I completely understand the requirement for role-based access to the repository during Bare Metal Recovery; moreover, this request remains valid in our system. Thank you for your honest feedback, we will discuss it with the RnD team. Cheers!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Feb 16, 2021 6:20 am
- Full Name: Petru
- Contact:
Re: Access to repository via Veeam Recovery media
Any news about this feature from the RnD team?
When will it be available?
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Access to repository via Veeam Recovery media
Hello,
and welcome to the forums.
Depending on the size of your environment, it might be worth considering Cloud Connect Enterprise (but it requires that you have a significant size environment). Your local Veeam rep can help you with that option.
Best regards,
Hannes
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Feb 16, 2021 6:20 am
- Full Name: Petru
- Contact:
Re: Access to repository via Veeam Recovery media
One more year has passed, and the only information is that the request for role-based access to the repository during Bare Metal Recovery is being discussed.
Could you tell us whether it will be implemented? When?
I was thinking about a workaround until it is released: sharing the path with the backups for Veeam Agent. But the folder names are very difficult to type: "VeeamAgentUser0d88ef7c-2851-11eb-11ec-a3d7-3024a8382500". Could the folder name be changed to be like the folder names for server backups with Veeam Agent? The jobs for servers create a folder with the hostname of the PC that is backed up.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Access to repository via Veeam Recovery media
Hello,
it's something we are working on (not only discussing). Watch out for presentations on agent topics at VeeamON (agenda is not finalized yet). Your Veeam Systems Engineer should also be able to provide more details.
Best regards,
Hannes